"Let's bury our bad news on a busy news day" - disturbing ICO revelations on 'International Right To Know Day' - A Privacy International Report
Freedom of Information ICO style
Privacy International has frequently criticised the UK Information Commissioner's Office (ICO) for shortcomings ranging from timidity to technical ignorance. However material just received from a Freedom of Information request to the Office reveals that the regulator has crossed a line from incompetence to possible malpractice that is serious enough to warrant a Parliamentary investigation.
The ICO has responsibility for the operation of both the UK Data Protection Act and the UK Freedom of Information Act. This dual responsibility is not unusual in the regulatory world, though the combination can lead to a conflict of interest when it comes to FOI requests about the Commissioner's Office itself.
Background
In June 2011 the ICO threw out a complaint [1] by PI and No-CCTV against a company called "Internet Eyes", which is a subscription site offering a cash bounty to anyone who scans online CCTV images and reports alleged shoplifters. We asserted that the enterprise was in breach of data protection but the ICO disagreed, deciding instead to allow the company to proceed subject to signing an undertaking of good behaviour [2].
At the time Privacy International described the decision to mandate bad information practices through an undertaking of good conduct as being the equivalent of "requiring the doctor for a prison execution chamber to sign a Health and Safety undertaking". In our view Undertakings have become an easy way out for the regulator and for transgressors. In many circumstances they are a licence to conditionally continue bad privacy practices.
The decision alarmed many rights advocates but did not come as a surprise to PI, which in almost twenty years has almost never secured a successful complaint with the ICO even when colleague commissioners across Europe had supported our position. This was the case particularly with fingerprinting of school children, Google Street View, wireless network harvesting, privacy settings on Social Networking sites, online advertising, financial privacy, data sharing, electronic visual surveillance, road & traffic surveillance and regulation of offshore Internet companies.
The decision to require an undertaking, although constituting ninety percent of all regulatory action by the ICO, is subject to no formal guidance. Senior officials at the ICO clearly recognized that the decision to issue an Undertaking was an error of judgment, but by the time they had learned of the decision the course of action could not be reversed. They instead decided to engineer aggressive media management to bury a potentially critical news story.
The ICO, which is in effect a quasi-judicial body, had in our view always exhibited a bizarre internal culture that was far removed from the consistent advocacy demonstrated by some other regulators. It has traditionally taken a pragmatic rather than a principled position on privacy issues, hence the almost complete absence of judgments in favour of stronger privacy.
Freedom of Information request
PI and No-CCTV decided to lodge a Freedom of Information (FOI) request with the ICO to discover the rationale behind its decision to refuse our complaint against Internet Eyes, requesting all memos, emails and correspondence relating to the matter. This was submitted in mid June. The ICO responded by stalling the application:
I can confirm that we do hold the information you have requested. However we consider that the exemption at section 36(2)(b)(ii) of the Freedom of Information Act 2000 applies to this information. This allows information to be withheld from a response to a request for information under that Act if the disclosure of the information "would, or would be likely to, inhibit … the free and frank exchange of views for the purposes of deliberation …"
Thus the regulator responsible for FOI used a contentious and controversial exemption to stall a request for information about its own activities. While arguing publicly that FOI could not be exempted to save embarrassment the Commissioner's Office had used it to disguise its own embarrassment.
However on 11th August we received some material relating to our request [3]. Almost thirty percent of the correspondence was blacked out, something we'll be asking questions about in due course, but the exposed content provides a devastating insight into the attitude and modus operandi of the ICO.
In short, the ICO was deeply concerned about possible adverse press coverage from its decision and conspired to bury the story on a busy news day. This effort together with associated aspects raises a number of crucial questions about the ICO's competence and integrity.
It's understandable at some levels that on 6th June Senior Press Officer Kirsty McCaskill sent an email to Deputy Commissioner David Smith asking:
Can we time the letter arriving with Privacy International with our news release going out? Want to minimise risk they'll go out and do their own statement without our side of the story being ready.
The effect of this strategy is that the complainant receives the judgment on the same day that a crafted media release is distributed by the regulator. Thus there is no opportunity for the complainant to carefully analyse responses to complex judgments in advance of media interview requests.
There's a view that any organisation - even a quasi-judicial organisation - has the right to ensure that its genuinely held beliefs receive a fair hearing. We accept that there's some basis for this view but we believe that it is poor practice for a regulator to play media politics.
Spinning the story
However the next day David Smith was again approached in the following terms:
it has occurred to us that the ICO may not wish this release to stand out from the crowd - maybe it world (sic) be better to send the letter today and publish Wednesday or Thursday this week to 'bury' it amongst others?
Some readers may recall a memorable firestorm just after 11th September 2001 concerning Jo Moore, disgraced former Special Adviser to Stephen Byers, then Minister for Transport and Local Government. A leak revealed that on the day of the terrorist attacks Moore had circulated an email suggesting:
It's now a very good day to get out anything we want to bury. Councillors' expenses?
Kirsty McCaskill again wrote to Diane Slater and David Smith:
Yes, we would ideally not want this to attract much publicity but as Privacy International is the complainant this is no easy task. No doubt they will issue their own response proactively as soon as they receive our letter. We will do our best to draft a news release asap this week and will co-ordinate timings so that the letter hits Privacy International at the same time as sending out our news release. Will do our best to try to pick a day when it looks like a busy news day out there but - as you'll appreciate - this is difficult to predict.
Again, the clear message is "let's bury the story".
We might have expected that such behaviour would spark the ire of senior management, along with some form of disciplinary action. However the ICO's Head of Strategic Liaison, Jonathan Bamford, responded to ICO staff with the following advice:
On a general point of caution I think it is possible that we will get FOIA requests for our deliberations on this issue… I think we should all bear that in mind when deciding on the language we use in our email traffic…
We would have very much liked to see the correspondence that directly relates to the ICO's "investigation" of Internet Eyes, but that correspondence has been withheld.
Cultural dysfunction
PI has condemned the ICO on countless occasions such as:
https://www.privacyinternational.org/blog/uk-information-commissioners-office-case-justifiable-assisted-suicide
http://www.infosecurity-magazine.com/view/1482/privacy-international-slams-ico-ruling-on-google-street-view/
http://www.itpro.co.uk/630649/privacy-groups-lambast-ico-after-bt-decision
https://www.privacyinternational.org/article/civil-liberties-groups-say-uk-information-commissioner's-office-not-fit-purpose
and https://www.privacyinternational.org/article/pi-calls-review-uk-privacy-regulator-following-series-failed-judgements
What these statements demonstrate is a fundamental tension between the regulator and advocates and a belief that the ICO has failed to advocate for rights and is therefore not fit for purpose.
However the latest disclosures take this tension to a new level. Until now we had understood the ICO to be a fundamentally misguided organisation with a dysfunctional culture. What we now realise is that at least part of the culture is malicious and behaves no better than what you might find in a combative corporate press office. Again, it is crucial to recall that the ICO is a quasi-judicial body.
One of the key issues identified by the disclosure is a claimed chaotic and misguided culture within the ICO's organisation. We do not argue that the entire office is hostile to privacy rights, but the prevalence of a culture of negotiation has paralysed an institution and created a culture that is not only in confusion but also in conflict. The ICO enjoys a reputation as "guardian" of rights, and never seeks correction when media describes it in those terms. However when deliberating on issues the Office reverts to a pragmatic framework with an overriding imperative of protecting economic interests.
We are conscious of the complexity of these issues and that in the regulatory context the malaise extends far beyond the ICO. In April 2009 PI issued a statement [4] condemning the ICO's failure of process.
Privacy International believes that alongside the problem of rampant pragmatism within the ICO, the Office lacks appropriate technological awareness. We believe the Office urgently needs to establish a Technical Advisory Board to help it understand the true scale of threats from new technologies… Of equal urgency is the matter of process. If the ICO is to determine public interest and pragmatic reasoning it should publish guidelines to these determinations. It must also demonstrate a greater regard to openness in its dealings with government and commercial organisations.
The statement continued:
While it is true that Privacy International often brings difficult and complex cases to the ICO, it is equally true that the tone of the responses is increasingly defensive and political in nature. We fear that the Commissioner is content to uphold fringe cases of occasional security abuses while allowing new technologies and technologies to cut a vast swathe through privacy.
Some key questions
The information reviewed here raises a number of troubling questions that we feel must be resolved openly and speedily. Among these are:
- To what extent are the processes within the regulator's office driven by a preoccupation with perception management and is this priority appropriate for a quasi-judicial body?
- To what extent is specific enforcement action on complaints pre-determined and what is the basis for this pre-determination?
- What is the precise role and mandate of the regulator's press office and is it appropriate for press management to be conducted by an external party outside the culture of the regulator?
- Precisely how does the regulator determine the efficacy, appropriateness and outcome of measures such as Undertakings and Enforcement Notices?
- Who - if anyone - within the regulator's office is responsible for monitoring the overall ethical conduct and procedure of a complaint?
- Should a regulator conduct investigations in the "public interest" in secret?
- How sustainable is it for a regulator to decide issues outside a clearly stated framework of reasoning?
- To what extent should a regulator consider its own media management as being more important than deliberating the virtue and relevance of the information itself?
- Is it appropriate for the regulator responsible for Freedom of Information to use contentious exemptions in the law to obfuscate its own processes?
- To what extent does the regulator rely on technical expertise in its deliberations and does it have appropriate technical resources at its disposal?
Getting it right for the future
Successive Commissioners have told us that civil society has the "luxury" of freedom to act and speak however we choose without legislative restriction. They argue that they must retain an impartiality and detachment that prevents them from taking an advocacy position on issues. This is not our reading of the Data Protection Act, nor is it an interpretation made by many regulators.
However if we are to accept that the ICO must maintain judicial standards of behaviour then the machinations underlined by the latest disclosure are completely unacceptable.
Endnotes:
- [1] - http://www.no-cctv.org.uk/materials/docs/ICO_complaint_internet_eyes.pdf
- [2] - http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/taking_action.aspx#undertakings
- [3] - http://www.no-cctv.org.uk/materials/docs/ICO-FOI-Final_redacted_doc-July_2011.pdf
- [4] - https://www.privacyinternational.org/article/pi-calls-review-uk-privacy-regulator-following-series-failed-judgements
For more background on the Internet Eyes game see:
- Internet Eyes and the privitisation of the surveillance society
  http://www.no-cctv.org.uk/blog/internet_eyes_and_the_privitisation_of_the_surveillance_society.htm
- BBC runs free prime-time advert for controversial CCTV game
  http://www.no-cctv.org.uk/blog/bbc_runs_free_prime-time_advert_for_controversial_cctv_game.htm
- The launch of CCTV citizen spy game Internet Eyes
  http://www.no-cctv.org.uk/blog/the_launch_of_cctv_citizen_spy_game_internet_eyes.htm
- Complaint to ICO calls for halt to Internet Eyes CCTV game
  http://www.no-cctv.org.uk/blog/complaint_to_ico_calls_for_halt_to_internet_eyes_cctv_game.htm
- No CCTV / PI complaint (2009)
  http://www.no-cctv.org.uk/materials/docs/ICO_complaint_internet_eyes.pdf
- No CCTV / PI follow-up complaint (2011)
  http://www.no-cctv.org.uk/materials/docs/2011_Complaint_Internet_Eyes.pdf